ABSTRACT

Industrial process control systems are time-critical systems where reliable communications between sensors and actuators need to be guaranteed within strict deadlines to maintain safe operation of all the components of the system. WirelessHART is the most widely adopted standard which serves as the medium of communication in industrial setups due to its support for Time Division Multiple Access (TDMA) based communication, multiple channels, channel hopping, centralized architecture, redundant routes and avoidance of spatial re-use of channels. However, the communication schedule in a WirelessHART network is decided by a centralized network manager at the time of network initialization and the same communication schedule repeats every hyper-period. Due to predictability in the time slots of the communication schedule, these systems are vulnerable to timing attacks which eventually can disrupt the safety of the system. In this work, we present a moving target defense mechanism, the SlotSwapper, which uses schedule randomization techniques to randomize the time slots over a hyper-period schedule, while still preserving all the feasibility constraints of a real-time WirelessHART network, and makes the schedule uncertain every hyper-period. We tested the feasibility of the generated schedules on random topologies with 100 simulated motes in the Cooja simulator. We use schedule entropy to measure the confidentiality of our algorithm in terms of randomness in the time slots of the generated schedules.

1. INTRODUCTION

Time-critical systems such as industrial process control systems are real-time cyber-physical systems (CPS) that monitor and control the production lines in a manufacturing plant. The number of devices in such a setup keeps increasing. To support more devices and to cope with frequent changes in the network topology due to addition (removal) of devices to (from) the network, a switch of the communication infrastructure from wired networks to wireless networks is desirable. Among the existing wireless sensor network (WSN) standards, WirelessHART is best suited for industrial process control systems due to its reliable TDMA-based schedule, centralized architecture, multi-channel support, channel hopping, redundancy in routes, and avoidance of spatial re-use of channels.

Although the use of wireless brings flexibility and adaptability to the communication infrastructure, it increases the threats of cyber attacks. Some recent sophisticated attacks against critical infrastructures such as Stuxnet [1] and Dragonfly [2] have alerted us to the shaky protection of the conventional air gap solution. The main components of a WirelessHART network are the sensors, actuators, Gateway, a network manager, and multiple access points (AP). Communications between these devices are real-time flows with fixed periods and deadlines. To make the flows schedulable, the schedule in a WirelessHART network is predetermined by the centralized network manager at the time of network initialization. The same schedule is repeated over every hyper-period (i.e., lowest common multiple of the periods of all the flows in the network), until there is any change in the network topology, such as addition/removal of new/existing devices to/from the network. The repetitive execution of the deterministic flow schedule in a WirelessHART network over every hyper-period makes these systems vulnerable to timing attacks. Such repetition greatly helps the attacker to analyze the eavesdropped traces and infer the schedule. With the inferred schedule, the attacker can further launch various strategic destructive attack steps. For instance, the attacker can selectively jam the transmissions from/to a certain critical sensor/actuator, which can eventually breach the safety of the system.

In this work, we aim at reducing the predictability of the time slots in the communication schedule of a real-time WirelessHART network. We propose a moving target defense (MTD) mechanism, the SlotSwapper, that randomizes the time slots in the communication schedule over every hyper-period, satisfying all the feasibility constraints of a real-time WirelessHART network, as follows: (1) deadlines of all real-time flows in the network are to be satisfied, (2) the hop sequences associated with each flow are to be preserved and (3) no conflicting transmissions in the network are allowed. From our analysis, the attacker who can monitor the wireless transmissions needs at least two hyper-periods to infer the schedule. Randomizing the schedule over every hyper-period renders the attacker's inference futile, thereby greatly improving the confidentiality of the WirelessHART network's operations. The more varied the slots in a schedule are, the more difficult it is for the attacker to predict them. Hence, the measure of uncertainty in the time slots of a schedule can be expressed in terms of the amount of randomness in the time slots over the hyper-period schedules generated by our algorithm. We re-defined schedule entropy [3] as a metric to measure the uncertainty in predicting the time slots. We illustrated the feasibility of our proposed algorithm on random topologies with 100 simulated nodes in Contiki Cooja [4]. To the best of our knowledge, this is the first work on randomization to reduce the determinism of the time slots of a hyper-period schedule in real-time WirelessHART networks.

2. RELATED WORK 

Two notable works in the literature which adopt randomization techniques in the context of real-time processor scheduling are taskshuffler [3] and SPARTA [5]. [3] presents a schedule randomization protocol, the taskshuffler, that shuffles a set of fixed priority real-time tasks on a uniprocessor system. [5] proposes SPARTA, a scheduler to randomize the leakage points in the schedule, protecting the system from Differential Power Analysis (DPA) attacks. However, both of these works are on uniprocessor systems. Our problem is even harder than multi-processor scheduling: the $m$ channels and $n$ real-time flows of our network can be mapped to $m$ processors and $n$ real-time tasks respectively. However, the conflicting transmissions among the flows impose an additional constraint in our network, which makes our problem even harder than multi-processor scheduling.

Due to support for TDMA schedules in WirelessHART networks, these networks are vulnerable to selective jamming attacks [6]. [7,8] survey various possible jamming attacks and the key ideas of existing security mechanisms against such attacks in WSNs. [9] proposes various types of side-channel attacks and their respective countermeasures in WSNs. The countermeasures against jamming attacks can be provided by physical-layer solutions as in [7,10] or cyber-space solutions such as [11,12]. [13] presents the steps of an attacker to launch jamming attacks in industrial process control systems. Recent works such as [14] and [15] provide countermeasures against timing attacks in single and multi-channel WSNs respectively by permuting the slot utilization pattern at the node level over a super-frame to randomize the schedule. However, the flows considered in these works are not associated with deadlines; hence, randomization of the slot utilization pattern at the node level makes the flows schedulable. Our problem is more complex. Each flow in our network is a real-time flow with a strict deadline. Permuting the time slots at each node does not guarantee deadline satisfaction of all the real-time flows in our network; hence, the existing solutions in [14] and [15] are not applicable.

3. WIRELESSHART BACKGROUND 

The WirelessHART protocol, being compliant with IEEE 802.15.4, is the first open wireless communication standard for measurement and control in network and process industry [16]. A WirelessHART network consists of a Gateway, multiple field devices, APs and a centralized network manager, which are connected via wireless mesh networks. The network manager, connected to the Gateway, is responsible for managing the devices, scheduling, creating the routes and optimizing the network. The field devices are wireless sensors and actuators which can either transmit or receive in a particular time slot. Also, in a time slot, a receiver can receive from exactly one sender. Multiple APs are connected to the Gateway via wired connections to provide redundant paths between the Gateway and the network devices. The key features of the WirelessHART network that make it suitable for process industries include:

TDMA: For reliable collision-free communications in a WirelessHART network, time is globally synchronized and slotted into 10 ms time slots within which a network device sends a packet and receives its corresponding acknowledgment.

Channel and route diversity: WirelessHART supports a maximum of 16 channels [17] at a frequency band of 2.4 GHz. To avoid interference from neighboring wireless systems, it adopts channel hopping in every time slot. A channel is blacklisted if it suffers from external interference. WirelessHART allows route diversity by transmitting a packet multiple times via multiple paths over different channels.

Avoidance of spatial re-use of channels: To avoid interference and to increase reliability, WirelessHART avoids spatial re-use of channels [17]. The physical channel assigned to a link in a particular time slot is given by [17], $Ch_p = (ASN + Ch_l) \bmod m$, where $ASN$ represents the Absolute Slot Number and increases at every slot, $Ch_l$ and $Ch_p$ are the logical and physical channels assigned to a node, and $m$ denotes the number of channels in the network.

A WirelessHART network is represented as a graph $G = (V, E)$, where $V$ is the set of nodes, which are the sensors, actuators and Gateway; $E$ is the set of edges or links between the devices. An edge $e = u \to v$, $u, v \in V$, is part of $G$ if and only if device $u$ can reliably communicate with device $v$. In a transmission along an edge $u \to v$, the transmitting node, $u$, is the sender and the receiving node, $v$, is the receiver of the transmission.

Definition 1: Two transmissions along edges $u \to v$ and $w \to x$, where $u, v, w, x \in V$, are said to be conflicting transmissions if both of them have the same sender or the same receiver, i.e., if $(u = w) \lor (v = w) \lor (u = x) \lor (v = x)$. For each edge $u \to v \in E$, there exists a set of conflicting transmissions in $G$. To keep track of the conflicting transmissions in $G$, we store an adjacency list known as the Conflict List. Each index $i$ in the list corresponds to an edge in $E$, and the list corresponding to $i$ stores the list of edges which generate conflicting transmissions with $i$.

An end-to-end communication between a sensor and an actuator occurs in two phases: a sensing phase and a control phase, during which the communications are between the sensors and the Gateway and between the Gateway and the actuators respectively.

4. SYSTEM MODEL 

Our system model consists of a WirelessHART network $G = (V, E)$ and $n$ end-to-end flows $\mathcal{F} = \{F_1, F_2, \ldots, F_n\}$. Each flow $F_i \in \mathcal{F}$ periodically generates a packet at the source node $s_i \in V$ with period $p_i$. The packet passes via the Gateway and reaches the destination node $d_i \in V \setminus \{s_i\}$ within deadline $\delta_i$. We assume that our flows are of implicit deadline, i.e., $\delta_i \le p_i$. A packet is scheduled on more than one route between the source and destination for reliability.

Definition 2: The release time ($r_{ij}$) of the $j$-th instance of flow $F_i$ ($j \ge 1$) is the time at which the $j$-th instance of $F_i$ is released at the source node $s_i$. $r_{ij}$ is defined as

$$r_{ij} = (j - 1) \cdot p_i \qquad (1)$$

Definition 3: The number of hops in a route of a flow $F_i$ is the number of intermediate devices between the source ($s_i$) and the destination ($d_i$) in the route of $F_i$.

Definition 4: Given a graph $G$ with $m$ channels and a set of flows $\mathcal{F}$, a feasible schedule $S$ is a sequence of transmissions over the slots in $S$ along the edges in $G$. Each transmission is a mapping of a flow to a channel in a slot satisfying the following conditions:

1. No transmission conflict: Two transmissions along $u \to v$ and $w \to x$ can be scheduled in the same time slot $t$ if $u \to v$ and $w \to x$ are non-conflicting transmissions;

2. No collision: If $u \to v$ uses channel $y$ and $w \to x$ uses channel $z$ in the same time slot $t$, then $y \ne z$, $\forall y, z \in [1, m]$;

3. No deadline violation: If a flow $F_j$, $1 \le j \le n$, has $h$ hops, then all the $h$ hops of $F_j$ are to be scheduled within the deadline $\delta_j$;

4. Flow sequence preservation: If a flow $F_j$ has $h$ hops, then the $k$-th hop ($1 \le k \le h$) cannot be scheduled until all the previous $k - 1$ hops are scheduled.

We assume that the network manager blacklists those channels from the network in which the probability of successful transmission is less than a certain threshold [18]. Therefore, the number of packet drops in the network can be neglected. At the time of network initialization, the network manager decides the schedule depending on the number of available channels, the topology of the network and available routes for each flow [17], [19]. Given a graph $G$, a set of $n$ flows $\mathcal{F}$ over $G$ and $m$ channels, the network manager runs any scheduling algorithm $A$ that generates a schedule $S$ satisfying all the conditions of Definition 4. The network manager then informs all the network devices about the allocated slots in which they can transmit (receive) messages from specific neighbors. The network devices become active only in those slots in which they can transmit (receive) messages. The same schedule repeats every hyper-period.

5. THREAT MODEL 

The main objective of the adversary is to select a critical sensor or an actuator as the victim node in the network and predict the time slots in which the victim node sends (receives) packets to (from) its neighboring nodes by observing the traffic in the network. Our adversary model is based on the following assumptions:

1. The adversary is aware of the network parameters such as the number of channels adopted by the network.

2. The adversary is equipped with multiple antennae; hence, he is capable of listening to all 16 channels in the 2.4 GHz ISM band in the network.

Based on the above assumptions, the adversary has the following capabilities:

Capability 1: The adversary can target a specific node (sensor or actuator) as the victim node in the network and monitor all communications associated with that node. After analyzing the traffic for a sufficiently long period of time, the adversary can predict the time slots in which the victim node communicates with its neighbors.

Capability 2: Due to the repetitive nature of the communication schedule, the adversary can estimate the hyper-period of the schedule. The adversary can use this estimate in the subsequent hyper-periods to infer the communication time slots of the victim node.

Capability 3: The adversary can reverse engineer the channel hopping sequences by silently observing the channel activities in the network [20].

With the above three capabilities, the adversary can execute further destructive attack steps. For instance, the adversary can target specific transmissions from (to) certain critical sensors (actuators) and can selectively jam the targeted transmissions in specific time slots, thereby causing a disruptive effect on the system. Due to the repetitive nature of the hyper-period schedules, the same flow gets transmitted in the same time slot over every hyper-period. Hence, selectively jamming the predicted channel in specific time slots over every hyper-period results in jamming the targeted flow with probability 1. Different from the constant jamming attack that jams all the transmissions, selective jamming is more stealthy as it allows the attacker to strategically target certain critical sensors and/or actuators within their proximity with much lower radio transmission power. This reduces the overhead and cost for the attacker to implement the jamming attack [21]. In contrast, random jamming that does not infer the schedule and jams in randomly selected slots is much less effective [22].

Figure 1: A network graph with six nodes and one AP

Table 1: Two schedules $S_1$ and $S_2$ over 8 time slots with three flows $F_1$, $F_2$, $F_3$ where $s_1 = 1$, $s_2 = 4$, $s_3 = 2$ and $d_1 = d_2 = d_3 = AP$.

Attack consequences: Selectively jamming the transmissions from a critical sensor node blocks the sensor data from reaching the Gateway. As a result, proper control commands cannot be delivered to the actuators, which in turn may result in degraded performance of the system. Also, selectively jamming the control commands so that they do not reach the actuators may hamper the safety of the system.

Motivation of our work: The main objective of our work is to develop an MTD technique, the SlotSwapper, that randomizes the communication time slots over every hyper-period schedule such that the schedule changes before the attacker can estimate it. We present a motivating example to illustrate how the threat can be addressed by randomizing the time slots in every hyper-period schedule.

Example 1: Consider the network graph shown in Figure 1 with two channels and three flows, $F_1$, $F_2$ and $F_3$, where the sources are $s_1 = 1$, $s_2 = 4$, $s_3 = 2$; the destinations are $d_1 = d_2 = d_3 = AP$; the periods and the deadlines are $p_1 = p_3 = \delta_1 = \delta_3 = 8$, $p_2 = \delta_2 = 4$ respectively. Consider $S_1$ in Table 1 to be the hyper-period schedule over the flows. Consider node 1 to be the victim node. In the traditional TDMA-based real-time WirelessHART network, the network starts with schedule $S_1$, which repeats every 8 time slots. An attacker listening to the channels in the network will find nodes 1 and 2 communicating every 8 time slots. In particular, to identify this repetitive pattern, the attacker needs to listen to the network for at least two hyper-periods, i.e., 16 time slots. The attacker can launch a selective jamming attack at the earliest in the 17th slot. With our proposed MTD technique, a new schedule is followed in each hyper-period, i.e., if $S_1$ is followed in the first eight slots, then $S_2$ will be followed in the next eight slots and so on. However, there is no communication between nodes 1 and 2 in slot 1 in $S_2$, i.e., the communicating time slots in two consecutive hyper-periods are different. To identify the repetitive patterns in the schedule, the attacker needs to monitor the communications for at least two hyper-periods. Hence, by changing the schedule every hyper-period, the system will change at a faster pace compared to the learning pace of the attacker, rendering further strategic destructive attack steps (e.g., selective jamming) infeasible.

6. PROPOSED MTD TECHNIQUE 

Our proposed MTD technique, the SlotSwapper, consists of two main phases: (1) an offline schedule generation phase and (2) an online schedule selection phase. Sched-Gen() considers an initial hyper-period schedule $B$ for a set of $n$ flows $\mathcal{F}$ over a graph $G$, and generates a new feasible schedule $S'$ by randomizing the slots in $B$. However, randomization of time slots in $B$ is to be done in such a way that all the conditions of generating a feasible schedule (Definition 4) are obeyed. To reduce the repeatability of time slots in $B$, we propose to run Sched-Gen() $K$ times ($K$ is a large number) in offline mode and generate a set of feasible hyper-period schedules $\mathbb{S}$. We suggest selecting a schedule uniformly at random every hyper-period from $\mathbb{S}$ and executing that schedule over that hyper-period.

Algorithm 1: SlotSwapper

    𝕊 = {B};  // a base schedule
    for i = 1, 2, ..., K do
        𝕊 = 𝕊 ∪ Sched-Gen();
    S = select a random schedule from 𝕊 every hyper-period;


Algorithm 2: Sched-Gen

    for tick = 1, 2, ..., hp do
        for j = 1, 2, ..., |F| do
            if tick == F_j.deadline then
                inst = tick / F_j.deadline;
                for p = 1, 2, ..., F_j.n_hops do
                    σ_t = slot of p-th hop of inst;
                    elig_list = {};  // empty list
                    if m == 1 then  // single-channel
                        lb = inst * F_j.release_time;
                        ub = inst * F_j.deadline;
                        for σ'_t = lb, lb + 1, ..., ub do
                            if S'[σ'_t] ≠ F_j then
                                add σ'_t to elig_list;
                        σ_random = random(elig_list);
                        swap(σ_t, σ_random);
                    else
                        c_ch = channel of p-th hop of inst;
                        if p == 1 then  // first hop
                            lb = inst * F_j.period;
                        else
                            lb = slot of (p − 1)-th hop of inst + 1;
                        if p == F_j.n_hops then  // last hop
                            ub = inst * F_j.deadline;
                        else
                            ub = slot of (p + 1)-th hop of inst − 1;
                        for σ'_t = lb, lb + 1, ..., ub do
                            for ch = 1, 2, ..., m do
                                b1 = trConf(σ_t, c_ch, σ'_t, ch, C);
                                b2 = deadPr(σ_t, c_ch, σ'_t, ch);
                                b3 = flowPr(σ_t, c_ch, σ'_t, ch);
                                if b1 && b2 && b3 == 1 then
                                    add (σ'_t, ch) to elig_list;
                        (σ, c) = random(elig_list);
                        swap(σ_t, c_ch, σ, c);
                    update hop_list, edge_list and S';
    return S';

Offline Randomized Schedule Generator: Algorithm 2 presents an overview of Sched-Gen(). Table 2 summarizes the notations used in the algorithm. We present an example to illustrate the steps of Sched-Gen().

    Notation    Description
    G           a network graph over |V| nodes and |E| edges
    F           a set of n flows defined over G
    m           number of channels in the network
    hp          hyper-period of n flows
    B           a base schedule consisting of mapping of a channel in a slot to a flow over one hp
    C           Conflict List corresponding to the network graph G
    S'          a copy of the base schedule B
    hop_list    a dictionary to store hop number to slot mapping of all the flow instances in F
    edge_list   a dictionary to map channel to edge in a particular slot in S'

Table 2: List of notations used in the algorithm.

Example 2: Consider the same setting as in Figure 1 and Example 1. Let $S_1$ in Table 1 be the base schedule. Let us consider the 1st hop of $F_3$ in $S_1$ with $\sigma_t = 4$ and c_ch = 1. The window corresponding to the 1st hop of $F_3$ is [1,7]. For every slot $\sigma'_t \in [1,7]$ and every channel $ch \in [1,2]$, we call trConf() and check for conflicting transmission. $2 \to 3$ has conflicting transmission with [$1 \to 2$, $2 \to 4$, $3 \to AP$] in $S_1$. Therefore, (slot,channel) pairs such as (1,1), (5,2) and (6,2) are rejected due to transmission conflict with (4,1). Similarly, (slot,channel) pairs such as (5,1) and (7,2) are also rejected by function deadPr() due to violation of deadlines of the flow instances. (slot,channel) pairs (5,1) and (7,2) correspond to the second instance of $F_2$ with release time at the 5th slot and deadline at the 8th slot. Hence, the second instance of $F_2$ cannot be swapped with any other slot before slot 5 or after slot 8. Similarly, flowPr() does not allow (slot,channel) pairs (1,2), (6,2) and (7,2) in the eligible list in order to preserve the hop sequences of flows. If the transmission corresponding to the 1st hop of the 1st instance of $F_2$ (via edge $4 \to 5$) of (slot,channel) pair (1,2) is allowed to swap with (4,1), then the second hop of that instance of $F_2$ would have been scheduled before the first hop, violating the hop sequences of the flow instances. Finally, the list of eligible (slot,channel) pairs is [(2,1), (2,2), (3,1), (3,2), (4,2), (6,1), (7,1)]. Let (3,2) be the randomly selected element. Swapping the transmissions and the flow instances between (3,2) and (4,1) and iterating the same procedure over all the flow instances generates a completely new feasible schedule.
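The swap-within-feasibility idea of Algorithm 2 and Example 2, as an added runnable sketch that is not the authors' implementation. It is simplified: eligibility is decided by re-checking the whole schedule against Definition 4 rather than by separate trConf/deadPr/flowPr predicates, the search window is the instance's full release-to-deadline range, and the flows, routes and base schedule (`FLOWS`, `BASE`) are constructed sample data, not the page's Figure 1 or Table 1.

```python
import random

# Constructed sample data (assumption): flow -> (period = deadline in slots,
# route as a list of (sender, receiver) hops).
FLOWS = {
    "F1": (8, [("1", "2"), ("2", "AP")]),
    "F2": (4, [("4", "5"), ("5", "AP")]),
    "F3": (8, [("2", "3"), ("3", "AP")]),
}
HP, M = 8, 2  # hyper-period in slots, number of channels

# Constructed base schedule B: (slot, channel) -> (flow, instance, hop)
BASE = {
    (1, 1): ("F1", 1, 1), (1, 2): ("F2", 1, 1),
    (2, 1): ("F1", 1, 2), (3, 1): ("F2", 1, 2),
    (4, 1): ("F3", 1, 1), (5, 2): ("F2", 2, 1),
    (6, 1): ("F3", 1, 2), (7, 1): ("F2", 2, 2),
}


def window(tx):
    """First and last slot an instance may use: release + 1 .. release + deadline."""
    flow, inst, _ = tx
    period = FLOWS[flow][0]
    release = (inst - 1) * period  # Equation (1)
    return release + 1, release + period


def is_feasible(sched):
    """Check the conditions of Definition 4 on a whole hyper-period schedule."""
    expected = {(f, i, h)
                for f, (p, route) in FLOWS.items()
                for i in range(1, HP // p + 1)
                for h in range(1, len(route) + 1)}
    if sorted(sched.values()) != sorted(expected):
        return False  # every hop of every instance must appear exactly once
    slot_of = {tx: slot for (slot, _), tx in sched.items()}
    busy = {}  # slot -> nodes already sending or receiving in that slot
    for (slot, ch), (flow, inst, hop) in sched.items():
        lo, hi = window((flow, inst, hop))
        if not (lo <= slot <= hi and 1 <= ch <= M):
            return False  # condition 3: deadline (and a valid channel)
        if hop > 1 and slot_of[(flow, inst, hop - 1)] >= slot:
            return False  # condition 4: hop order
        for node in FLOWS[flow][1][hop - 1]:
            if node in busy.setdefault(slot, set()):
                return False  # condition 1: conflict as in Definition 1
            busy[slot].add(node)
    return True  # condition 2 holds by construction: one entry per (slot, channel)


def swap(sched, a, b):
    """Return a copy of sched with the contents of cells a and b exchanged."""
    out = dict(sched)
    ta, tb = out.pop(a, None), out.pop(b, None)
    if ta is not None:
        out[b] = ta
    if tb is not None:
        out[a] = tb
    return out


def sched_gen(base, rng):
    """One randomized feasible schedule: each hop swaps with a random eligible cell."""
    sched = dict(base)
    for tx in sorted(base.values()):
        cur = next(cell for cell, t in sched.items() if t == tx)
        lo, hi = window(tx)
        eligible = [(s, c) for s in range(lo, hi + 1) for c in range(1, M + 1)
                    if (s, c) != cur and is_feasible(swap(sched, cur, (s, c)))]
        if eligible:  # a hop with no eligible cell stays where it is
            sched = swap(sched, cur, rng.choice(eligible))
    return sched


if __name__ == "__main__":
    new = sched_gen(BASE, random.Random(1))
    for cell in sorted(new):
        print(cell, new[cell])
```

Because every accepted swap is re-validated against the full schedule, the output is feasible by construction; the cost is a full check per candidate cell, which the per-predicate tests in Algorithm 2 avoid.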

Online Selection of Schedules: On executing Sched-Gen() $K$ times in offline mode, we get a set of feasible schedules $\mathbb{S}$. At the time of network initialization, each node is informed about the time slots in which it can send/receive messages in each of these $K$ hyper-period schedules. The online schedule selector runs at each node once in every hyper-period, selects a schedule $S$ from $\mathbb{S}$ uniformly at random and executes $S$ over that hyper-period. To ensure that the same schedule is selected at each node, we propose to use a pseudo-random number generator (PRNG) [23] (assumed to be secure) initialized with the same seed at each node. This allows each node to select the same schedule every hyper-period without any additional communication.
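An added sketch of the synchronized selection step, not code from the paper. It assumes HMAC-SHA256 keyed with the shared seed as the secure generator and derives the index from the hyper-period number (ASN divided by the hyper-period length), so a node needs no generator state; `schedule_index` and `stateful_sequences` are hypothetical names, and the second function shows how a generator stepped once per hyper-period drifts when one node misses a draw.

```python
import hashlib
import hmac
import random

K = 25     # schedules stored per node (the figure reported for Tmote Sky motes)
HP = 1024  # hyper-period length in slots (the evaluation setting)


def schedule_index(seed: bytes, asn: int, k: int = K, hp: int = HP) -> int:
    """Index of the schedule all nodes run in the hyper-period containing slot asn."""
    hyper_period = asn // hp
    limit = (2**32 // k) * k  # largest multiple of k not above 2**32
    counter = 0
    while True:
        msg = hyper_period.to_bytes(8, "big") + counter.to_bytes(4, "big")
        digest = hmac.new(seed, msg, hashlib.sha256).digest()
        draw = int.from_bytes(digest[:4], "big")
        if draw < limit:  # rejection sampling keeps the choice uniform over k
            return draw % k
        counter += 1


def stateful_sequences(seed: bytes, steps: int, missed_at: int):
    """Two nodes stepping a seeded generator once per hyper-period.

    Node B is down during hyper-period `missed_at` and skips that draw.
    random.Random is used only to show the drift; it is not a secure PRNG.
    """
    a, b = random.Random(seed), random.Random(seed)
    seq_a, seq_b = [], []
    for h in range(steps):
        seq_a.append(a.randrange(K))
        seq_b.append(None if h == missed_at else b.randrange(K))
    return seq_a, seq_b


if __name__ == "__main__":
    seed = b"constructed-shared-seed"  # constructed sample value
    print([schedule_index(seed, h * HP) for h in range(10)])
    seq_a, seq_b = stateful_sequences(seed, 12, 3)
    print(seq_a)
    print(seq_b)  # one draw behind node A from hyper-period 4 onwards
```

With the stateless derivation, a node that reboots or joins late recomputes the current index from the network-wide ASN and rejoins the common schedule in the same hyper-period.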

7. MEASURE OF UNCERTAINTY 

Given a set of schedules $\mathbb{S}$ generated by Sched-Gen(), we need to quantify the amount of uncertainty in the schedules in $\mathbb{S}$. In [3], schedule entropy is used to measure the uncertainty of a given schedule for a uniprocessor system. We have redefined schedule entropy as a function of the slot and channel entropy to measure the randomness in the schedules in $\mathbb{S}$. In a multi-channel WirelessHART network, each of the slots $\sigma_i$ in a schedule $S$ consists of $m$ channels, which can be represented as $\sigma_i = \{c_{i1}, c_{i2}, \ldots, c_{im}\}$. Given a hyper-period schedule $S$ over $l$ slots and $m$ channels for a set of flows $\mathcal{F}$, the occurrence of the $j$-th flow $F_j$ in the $k$-th channel of the $i$-th slot is a discrete random variable with possible outcomes from 0 to $n$, where 0 represents idle flow and $n$ is the total number of flows in $\mathcal{F}$. Let $c_{ik} = j$ denote the $j$-th flow occurring in the $k$-th channel of the $i$-th slot of $S$. However, the occurrence of the $j$-th flow in the $k$-th channel of the $i$-th slot restricts the occurrence of some other flow $F'_j$ in the same channel of the same slot. Also, if a flow $F_j$ completes its hops in the $i$-th slot in the schedule, it cannot occur in the subsequent slots until the arrival of its next instance. We therefore define schedule entropy as follows.

Definition 5: Schedule entropy over a set of flows $\mathcal{F}$ for a WirelessHART network with $m$ channels is the conditional entropy of $F_j$ occurring in the $k$-th channel of the $i$-th slot, given the entropy of all the slots from 1 to $i - 1$. It is represented as

$$H(S) = \sum_{i=1}^{l} H(\sigma_i \mid \sigma_1, \sigma_2, \ldots, \sigma_{i-1}) \qquad (2)$$

$$H(\sigma_i) = -\sum_{c_{i1}=0}^{n} \sum_{c_{i2}=0}^{n} \cdots \sum_{c_{im}=0}^{n} \Pr(c_{i1}, c_{i2}, \ldots, c_{im}) \log_2 \Pr(c_{i1}, c_{i2}, \ldots, c_{im}) \qquad (3)$$

For a multi-channel WirelessHART network with $n$ flows ($n > 16$), the number of possible permutations in the calculation of the joint probability for each slot is exponential. Hence, we consider the empirical probability distribution of the flows across all the channels in each slot, which is an upper-approximated value of slot entropy as the joint probability is always less than or equal to the sum of individual probabilities [24]. Further, calculation of conditional entropy in Equation (2) involves the joint probability distribution of slots in $S$, which is exponential in nature. So, we consider the empirical probability distribution of the slots in $S$.

Definition 6: Upper-approximated slot entropy $\tilde{H}(\sigma_i)$ and upper-approximated schedule entropy $\tilde{H}(S)$ are defined respectively as follows

$$\tilde{H}(\sigma_i) = -\sum_{k=1}^{m} \sum_{j=0}^{n} \Pr(c_{ik} = j) \log_2 \Pr(c_{ik} = j) \qquad (4)$$
l 

H{S) (5) 

i= 1 


where $\Pr(c_{ik} = j)$ is the probability mass function of the $j$-th flow occurring in the $k$-th channel of the $i$-th slot.
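An added sketch of the empirical estimate behind Equation (4), not the authors' evaluation code. Each schedule is a dictionary from (slot, channel) to a flow index, with a missing cell counted as flow 0 (idle); summing the per-slot values into one schedule-level figure is an assumption of this example, `predictable_slots` is a hypothetical audit helper that lists busy slots whose contents never change across the stored schedules, and the four sample schedules are constructed.

```python
import math
from collections import Counter


def slot_entropy(schedules, slot, m):
    """Equation (4) for one slot, using empirical frequencies over the schedule set."""
    total = 0.0
    for ch in range(1, m + 1):
        counts = Counter(s.get((slot, ch), 0) for s in schedules)  # 0 = idle
        for count in counts.values():
            p = count / len(schedules)
            total -= p * math.log2(p)
    return total


def schedule_entropy(schedules, n_slots, m):
    """Schedule-level value, taken here as the sum of the per-slot values (assumption)."""
    return sum(slot_entropy(schedules, i, m) for i in range(1, n_slots + 1))


def predictable_slots(schedules, n_slots, m):
    """Busy slots with zero slot entropy: the same transmissions in every schedule."""
    result = []
    for i in range(1, n_slots + 1):
        busy = any((i, ch) in s for s in schedules for ch in range(1, m + 1))
        if busy and slot_entropy(schedules, i, m) < 1e-12:
            result.append(i)
    return result


# Constructed sample: 4 stored schedules, 3 slots, 2 channels, flows 1..3.
SAMPLE = [
    {(1, 1): 1, (2, 1): 2, (3, 1): 3},
    {(1, 1): 2, (2, 1): 1, (3, 1): 3},
    {(1, 2): 1, (2, 1): 2, (3, 1): 3},
    {(1, 1): 2, (2, 2): 1, (3, 1): 3},
]

if __name__ == "__main__":
    print(round(schedule_entropy(SAMPLE, 3, 2), 4))
    print(predictable_slots(SAMPLE, 3, 2))
    print(schedule_entropy([SAMPLE[0]] * 4, 3, 2))  # a repeated schedule
```

A schedule set that repeats one schedule scores zero everywhere, which is the static WirelessHART case the threat model describes; in the sample, slot 3 stays predictable because flow 3 never moves.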

8. EVALUATION 

Simulation setup: We use the Cooja simulator [4] of Contiki 3.0 to test the feasibility of our schedules. We generated three random topologies with 100 simulated Tmote Sky motes by varying the degree of nodes ($\theta$) or the number of incoming and outgoing edges incident on a node: (1) Graph A ($\theta$ between 2 and 4), (2) Graph B ($\theta$ between 3 and 6), (3) Graph C ($\theta$ between 3 and 8). The higher the degree of a node, the higher the chance of conflicting transmissions and the smaller the number of available flows for a particular time slot. Nodes with the highest number of neighbors are considered to be the APs.

Flow Generation: A fraction ($\alpha$ percent) of the nodes are randomly selected as the source and destination nodes. The source and destination nodes are disjoint. In our experiments we varied $\alpha$ between 20% and 80%. We selected the number of hops of each flow to be between 2 and 8 [25] and considered the shortest path as the primary path. The flows have implicit deadlines with periods varying randomly in the range of $2^7$ to $2^{10}$.

Experiments: We fixed the hyper-period at $2^{10}$ time slots and ran experiments up to 10000 hyper-periods with the number of flows and the number of channels varying between 10 to 40 and 1 to 4 respectively. For each condition, we generated 100 random instances and measured the upper-approximated schedule entropy ($\tilde{H}(S)$) for each of these instances. Figure 2 shows $\tilde{H}(S)$ for all the tested scenarios. It has been observed that $\tilde{H}(S)$ is maximum for the single-channel WirelessHART network for all three graphs. This is because in single-channel WirelessHART networks, there are no conflicting transmissions among the flows in the network. As a result, a flow can be scheduled at any slot within its release time and deadline. For a fixed number of channels, $\tilde{H}(S)$ increases significantly with increase in the number of flows up to 30. After that, there is no significant increase in the value of $\tilde{H}(S)$ with increase in the number of flows. This is because, with increase in the number of flows, more flows can appear in a slot. However, as the number of flows increases, the number of conflicting transmissions among the flows increases, which in turn restricts the number of available flows to be scheduled in a particular slot. $\tilde{H}(S)$ also increases with increase in the number of channels between 2 and 4, as the number of available positions for a flow to be scheduled increases. However, it has been observed that with increase in the number of channels, the increase in $\tilde{H}(S)$ is significantly less for Graph C. Among all the three graphs, the number of edges is maximum in Graph C, resulting in more conflicting transmissions among the flows, thereby restricting the number of available positions to schedule a flow.

Although we ran our algorithm up to 10000 hyper-periods to measure the randomness in the generated schedules, the amount of memory available to each Tmote Sky mote is not sufficiently large to store a large number of schedules. We measured that each mote can only support a maximum of 2000 time-slot entries. We observed that, if a node is in the path of all the 40 flows, then it needs to store at least 80 time-slot entries per schedule (40 for transmissions and 40 for re-transmissions). With this specification, we were able to store 25 schedules in each node. We can manually tune the nodes with different sets of schedules after several hyper-periods to further reduce the chance of predicting the schedules. Our MTD technique only involves an additional random number generation in each node once in every hyper-period, the power consumption of which is negligibly small.

Figure 2: Upper Approximated Schedule Entropy over Graph A, Graph B and Graph C, with number of flows varying between 10 to 40 and number of channels between 1 to 4 with a hyper-period of 1024 time slots

9. CONCLUSION 

In this work, we presented an MTD mechanism, the SlotSwapper, to reduce the predictability of TDMA slots in a real-time WirelessHART network. We used schedule entropy to measure the uncertainty of the schedules generated by our algorithm. We illustrated the feasibility of the schedules on simulated networks in Cooja with 100 Tmote Sky motes.